Hi All,
I'm trying to get an NFC FIDO2 token to unlock an encrypted root partition; however, it always times out and falls back to the passcode. I attempted to add it to the initramfs, but the PC/SC daemon doesn't start.
Here's the mkinitcpio.conf:
MODULES=(btrfs)
...
BINARIES=(/usr/bin/btrfs pcscd opensc-tool)
...
FILES=()
...
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt sd-encrypt-opensc filesystems fsck)
I am able to enroll the key just fine, and it shows up under systemd-cryptenroll:
No device specified, defaulting to '/dev/sda2'.
SLOT TYPE
0 password
1 fido2
I am prompted for a LUKS2 token PIN, and the security key PIN, before it times out.
If it is relevant, I'm using limine:
timeout: 3
/Arch Linux
protocol: linux
path: boot():/vmlinuz-linux
cmdline: quiet rd.luks.name=UUID_REDACTED=root rd.luks.options=fido2-device=auto root=/dev/mapper/root rw rootflags=subvol=@ rootfstype=btrfs
module_path: boot():/initramfs-linux.img
Am I missing a library or binary? I know the key is fine, as I can use it for WebAuthn and even PAM modules. This is in a VM, and the reader is being passed through USB. I am unable to use a contact smart card as the key is implanted under my skin.
from my own playaround with multi-protocol smartcards (yubikey and similar) fido != pcsc but they usually rather show up as hidraw instead
pcsc / opensc is mainly for pkcs11 like pgp and piv - fido is implemented differently
anyway: cool stuff, tho
but they usually rather show up as hidraw instead
That's true for the USB keys, I'm not sure if it's true for the NFC ones. I haven't checked exactly what device the token shows up as when scanned. I have thought about adding the libraries/files from the CCID package. Would it be as simple as adding ccid to modules?
well - for scanning a nfc "card" you need a reader at least - so i guess the question is: as what kind of device does the reader show up?
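One way to answer "as what kind of device does the reader show up?" is to read each USB interface's bInterfaceClass from sysfs: class 03 is HID (the hidraw path the replies above describe for USB keys), class 0b is a CCID smart-card reader (the pcscd + ccid path). This is an added example, not code from the thread; the SYSFS_ROOT argument is an assumption so the scan can be pointed at a constructed tree, and on a real system it defaults to /sys/bus/usb/devices.

```shell
#!/bin/sh
# Added example (not from the thread): report how attached USB interfaces
# present themselves, so you know whether the NFC reader needs pcscd/ccid
# (CCID, class 0b) or is reachable as a HID device (class 03, /dev/hidrawN).
# sysfs prints bInterfaceClass as two lowercase hex digits, e.g. "03", "0b".

# classify_usb_class CLASS -> one-line label for a bInterfaceClass value
classify_usb_class() {
    case "$1" in
        03) echo "HID (hidraw; no pcscd involved)" ;;
        0b) echo "CCID smart-card reader (pcscd + ccid driver needed)" ;;
        08) echo "mass storage" ;;
        e0) echo "wireless controller (e.g. Bluetooth)" ;;
        *)  echo "other class $1" ;;
    esac
}

# list_usb_interfaces [SYSFS_ROOT] -> "<interface> <class> <label>" per interface
# Note: HID entries also include keyboards and mice; match the interface's
# parent device (idVendor/idProduct) to pick out the reader itself.
list_usb_interfaces() {
    root="${1:-/sys/bus/usb/devices}"
    for f in "$root"/*/bInterfaceClass; do
        [ -r "$f" ] || continue
        cls=$(cat "$f")
        iface=$(basename "$(dirname "$f")")
        printf '%s %s %s\n' "$iface" "$cls" "$(classify_usb_class "$cls")"
    done
}

# count_usb_class [SYSFS_ROOT] CLASS -> number of interfaces with that class
count_usb_class() {
    n=0
    for f in "${1:-/sys/bus/usb/devices}"/*/bInterfaceClass; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "$2" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# usb_class_summary [SYSFS_ROOT] -> "hid=<n> ccid=<n>", the two classes that
# decide whether the initramfs needs pcscd at all
usb_class_summary() {
    printf 'hid=%s ccid=%s\n' "$(count_usb_class "$1" 03)" "$(count_usb_class "$1" 0b)"
}
```

Run it on the host (and inside the VM after the USB pass-through) with `list_usb_interfaces` to see the reader's class before deciding which hook and binaries the initramfs needs.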